Researcher uses Dirty Pipe exploit to fully root Pixel 6 Pro and Samsung S22

A researcher has successfully used a critical Dirty Pipe vulnerability in Linux in order to fully root two Android phone models – Pixel 6 Pro and Samsung S22 – in a hack that demonstrates the power of exploiting a newly discovered operating system flaw.

The researcher chose these two phone models for good reason: They are among the few — if not the only — devices known to run Android 5.10.43, the only version of Google’s mobile operating system exposed to Dirty Pipe. Because the LPE, or local privilege escalation, vulnerability was not introduced until the recently released 5.8 of the Linux kernel, the world of exploitable devices—whether mobile, IoT, or servers and desktops—is relatively small.

Behold, a reverse shell with root privileges

But for devices that package affected Linux kernel versions, Dirty Pipe offers hackers—both benign and malicious—a platform to bypass normal security controls and gain full root control. From there, a malicious app can surreptitiously steal your authentication credentials, photos, files, messages, and other sensitive data. me I mentioned last weekDirty Pipe is one of the most dangerous Linux threats exposed since 2016, the year another highly dangerous and easy to exploit Linux flaw named Dirty Cow surfaced.

Android uses security mechanisms such as selino and sandboxes, which often make exploits difficult, if not impossible. Despite the challenge, successful Android rooting shows that Dirty Pipe is a viable attack vector against vulnerable devices.

“It’s exciting because most Linux kernel vulnerabilities will not be useful for Android exploits,” he said. Valentina Palmiotti, Principal security researcher at security firm Grapl, in an interview. The vulnerability is “notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been many). Although it only runs 5.8 cores and above, it is limited to the two devices we saw in the demo.”

at View a video Posted on Twitter, a security researcher asked to be identified only through his Twitter account fire 30 He runs a custom app that he wrote, first on the Pixel 6 Pro and then on the Samsung S22. Within seconds, a reverse shell opens giving full root access on a computer connected to the same Wi-Fi network. From there, the Fire30 has the ability to bypass most Android built-in security measures.

The achieved root is restricted, which means it can’t survive on reboot. This means that hobbyists who want to root their devices so that they have capabilities that are not normally available, must perform the procedure every time the phone is turned on, which is an unattractive requirement for many rooting hobbyists. However, researchers may find this technique more valuable, as it allows them to make diagnoses that would not otherwise be possible.

But perhaps the most interested group are people trying to install malicious tools. As the video shows, the attacks are likely to be quick and stealthy. All that is required is local access to the device, usually in the form of running a malicious application. Even if the world of vulnerable hardware is relatively young, there is no doubt that Dirty Pipe can be used to completely conquer it.

“This is a highly reliable exploit that will work without customization on all vulnerable systems,” Christoph Heibeizen, head of security research at mobile security firm Lookout, wrote in an email. “This makes it a very attractive exploit for attackers to use. I would expect armed versions of the exploit to emerge, and they will be used as the preferred exploit when a vulnerable device is encountered because the exploit is reliable. Also, it might be a good idea to be included in rooting tools for users who are rooting their own devices.” “

It also makes sense that other types of devices running weak versions of Linux can also be easily rooted using Dirty Pipe. On Monday, storage device maker QNAP said that some of its NAS devices are affected by the vulnerability and the company’s engineers are in the process of thoroughly investigating how this happened. QNAP does not currently have any mitigations and recommends users to check back and install security updates as soon as they are available.